From faf86c2271258a045ffef1fd8f3fd9643b883643 Mon Sep 17 00:00:00 2001
From: Adam Henry Lewenberg <adamhl@stanford.edu>
Date: Fri, 16 Jun 2017 09:47:54 -0700
Subject: [PATCH] change how authorized_keys parameter in ssh is used

---
 NEWS             |  2 +-
 manifests/ssh.pp | 20 +++++++++++++++-----
 2 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/NEWS b/NEWS
index 693e9af..d54ac21 100644
--- a/NEWS
+++ b/NEWS
@@ -23,7 +23,7 @@ release/005.007 (unreleased)
     [ssh] Add the parameter $pubkey to the ssh class to allow ssh key-pair
     logins (this way you do not have to do class inheritance). Also add a
     parameter to allow root users to login using ssh key-pairs. Both of
-    these parameters are set to false by default. [adamhl]
+    these parameters are set to have no effect by default. [adamhl]
 
 release/005.006 (2017-02-16)
 
diff --git a/manifests/ssh.pp b/manifests/ssh.pp
index a6e9465..ae64e1c 100644
--- a/manifests/ssh.pp
+++ b/manifests/ssh.pp
@@ -22,18 +22,23 @@
 # server.
 # Default: false
 
-# $allow_pubkey_for_root: set to true if you want to allow root logins
-# using ssh key-pairs. This is especially useful for Kerberos KDCs that
+# $root_authorized_keys: Set this to a Puppet template URL to
+# instantiate that file as /root/.ssh/authorized_keys.
+# This is especially useful for Kerberos KDCs that
 # are not clients of the production KDC. Use with caution.
 # If you set this to true you should also set $pubkey to true.
-# Default: false
+#
+# Example:
+#    root_authorized_keys => template('mymodule/root/.ssh/authorized_keys.erb'),
+#
+# Default: undef
 
 class base::ssh(
   $pam_afs               = true,
   $pam_duo               = false,
   $pam_slurm             = false,
   $pubkey                = false,
-  $allow_pubkey_for_root = false,
+  $root_authorized_keys  = undef,
   $filter_sunetids       = [],
 ){
 
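Review bot: The retained context line `# If you set this to true you should also set $pubkey to true.` still describes the old boolean semantics of $allow_pubkey_for_root, while the renamed $root_authorized_keys now carries file content; it should read `# If you set this you should also set $pubkey to true.` The new header text also calls the value "a Puppet template URL", but the example passes the result of `template(...)`, i.e. the rendered content, which is what the later hunk feeds to the file resource's content attribute; saying "the rendered content of a Puppet template" would avoid readers passing a bare path. The class body continues outside the hunk.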
@@ -110,7 +115,12 @@ class base::ssh(
     notify  => Service['ssh'],
   }
 
-  if (! $allow_pubkey_for_root) {
+  if ($root_authorized_keys) {
+    file { '/root/.ssh/authorized_keys':
+      ensure => present,
+      content => $root_authorized_keys,
+    }
+  } else {
     # Make sure public key authentication to root does not work and clean up
     # after the authorized_keys file generated during the build process.  Some
     # clients (HPC) will need to override this (for GPFS, for example).
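Review bot: The new `file { '/root/.ssh/authorized_keys': ... }` resource sets only ensure and content, so owner, group and mode fall back to Puppet's defaults and the file can be created with a permissive mode; sshd's StrictModes (enabled by default) refuses an authorized_keys file that is group- or world-writable, and a root key file should not be readable by other users in any case. Add `owner => 'root',` `group => 'root',` `mode => '0600',` to the resource, and consider `ensure => file` rather than `present` since content is being managed. The hunk does not show /root/.ssh itself being managed, so unless it is ensured elsewhere the parent directory may be missing or have a mode StrictModes also rejects — worth confirming against the rest of the class. The else branch of this `if` continues outside the hunk.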
-- 
GitLab